topic Re: Automatic HIDE NAT for BGP Failover without ISP Redundancy in Firewall and Security Management

Automatic HIDE NAT for BGP Failover without ISP Redundancy

dphonovation — Fri, 06 Jan 2023 19:19:53 GMT

Hello fellow Checkpointers,

I have two ISPs with a peer on each side providing me a default gateway via BGP. (I also advertise 4 different ranges to them)

Since it's BGP, the documentation is quite clear that "ISP Redundancy does not support dynamic routing protocols" - so using it is out of the question.

I imagined weighting the peers so that ISP1-Peer is preferred over ISP2-Peer.

This means I would be receiving 2 advertisements for 0.0.0.0/0, one from each peer. ISP1-Peer's route would be installed unless it goes down, in which case ISP2-Peers default advertisement would be installed into the routing table.

Then I run into a NAT problem? (For now I'm just trying to NAT behind the gateways real address, not any of my BGP addresses). I'm used to doing manual NAT rules.

I've been doing some reading on how ISP Redundancy does this in sk174197 and sk34812.

In an attempt to recreate this myself, I tried enabling "Automatic Address Translation Rules" for each of my cluster members and selecting "Hide behind gateway".

This installs a machine hide nat rule with:

fw1-obj any any fw1-obj (Hiding Address) Original Original

But when I push policy, policy verification fails with: "Module fw1-obj cannot have a NAT rule installed on 'All', the module cannot translate its own address".

And now I'm fairly confused on how to accomplish this. Would appreciate some guidance from those smarter than I.

Re: Automatic HIDE NAT for BGP Failover without ISP Redundancy

dphonovation — Fri, 06 Jan 2023 20:15:33 GMT

I was trying this through the cluster member properties window.

It appears I can use the automatic hide object for a given network/host object - but then I can't really organize the NAT screen into my own sections.

Once I set it on a network for "Hide Behind Gateway", it appears to be using the firewall members Cluster VIP on the WAN interface of ISP-Peer-1 (the current active default route) - so I would assume if the default route failed over to ISP-Peer-2 - it would flip to that.

So I guess the question becomes - is it possible to configure what "Automatic Hide NAT" does - but manually?

I also tried the LocalMachine dynamic object as cited by @PhoneBoy suggested in this thread: https://community.checkpoint.com/t5/SMB-Gateways-Spark/Hide-NAT-using-quot-Interface-quot-object/m-p/153559#M7133 but to no avail

Re: Automatic HIDE NAT for BGP Failover without ISP Redundancy

the_rock — Fri, 06 Jan 2023 20:52:17 GMT

You can configure that settiong manually, but when you enable it through the object itself, it places rule(s) on its own in NAT rule base.

Re: Automatic HIDE NAT for BGP Failover without ISP Redundancy

dphonovation — Fri, 06 Jan 2023 20:55:33 GMT

Forgive my ignorance, how does one accomplish creating a Manual Hide NAT rule in the same way Automatic hide nat rules behind "Gateway" are done?

The abstraction of "use whatever ip is on the interface it gets sent out on" is what I'm after.

It's been a tough week 😞

Re: Automatic HIDE NAT for BGP Failover without ISP Redundancy

Lloyd_Braun — Fri, 06 Jan 2023 21:27:47 GMT

You used to be able to configure hide NAT for 0.0.0.0 to hide NAT behind the interface that you are exiting. I have not tried that in a few versions so your mileage may vary. Looks like it is not recommended anymore: Using a "Hide behind IP address 0.0.0.0" as the translated source object (checkpoint.com)

Re: Automatic HIDE NAT for BGP Failover without ISP Redundancy

the_rock — Fri, 06 Jan 2023 21:47:32 GMT

No ignorance, all good, happy new year btw! Anyhow, what you can do to follow my example is pick random subnet, enable hide nat option and you will see 2 rules added in NAT rulebase, that will give you an idea.

Andy

Re: Automatic HIDE NAT for BGP Failover without ISP Redundancy

Chris_Atkinson — Fri, 06 Jan 2023 23:02:18 GMT

Some options in no particular order for lab testing might be:

- Try using Zone objects with your NAT policy (different zone for each interface/ISP)

- NAT using an object 0.0.0.0 to dynamically pickup the local interface address

- Try Dynamic objects like LocalMachine

- NAT using addresses from the advertised subnets

- Use a router external to CP to host the ISP connections

Re: Automatic HIDE NAT for BGP Failover without ISP Redundancy

dphonovation — Mon, 09 Jan 2023 11:35:25 GMT

Thanks for all the ideas.

@Chris_Atkinson wrote:
Some options in no particular order for lab testing might be:
- Try using Zone objects with your NAT policy (different zone for each interface/ISP)

I don't even get the option to select a zone in Translated Source

- NAT using an object 0.0.0.0 to dynamically pickup the local interface address

I thought this was no longer recommended as mentioned here: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk40637

- Try Dynamic objects like LocalMachine

I tried this but I got warnings like "Dynamic Object localmachine is used in the policy but not defined on the security gateway". Which lead me to: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk166225

.. which I tried and then I got policy installation errors: "Failed to find a dynamic interface on DAIP module"

- NAT using addresses from the advertised subnets

This is an option

- Use a router external to CP to host the ISP connections

While this makes sense I'd like to avoid it. The CP will be terminating VPNs and I have a need to steer traffic down a specific VPN tunnel which will become problematic. Nevermind adding routing complexity. 2 of the CPs actually live on a different physical sites and what I intend to happen if the interlink goes down is: Side1 can only communicate with ISP1 and Side2 can only communicate with ISP2.

Re: Automatic HIDE NAT for BGP Failover without ISP Redundancy

dphonovation — Mon, 09 Jan 2023 11:39:32 GMT

Thanks.

So what I get with using the Automatic Hide NAT behind gateway option using a given subnet is something like this:

SubnetA SubnetA any Original Original Original

SubnetA any any (H) Subnet A (Hiding Address) Original Original

When I try to recreate this manually:

SubnetA SubnetA any Original Original Original

SubnetA any any (H) Subnet A Original Original

I get "Invalid Object Subnet A in Translated Source of Address Translation Rule. Valid objects are host, gateway, gateway cluster, router, dynamic object and address range with one object.

Re: Automatic HIDE NAT for BGP Failover without ISP Redundancy

Chris_Atkinson — Mon, 09 Jan 2023 11:46:41 GMT

Note using Zones in the NAT policy requires Management version R81 or higher.

Re: Automatic HIDE NAT for BGP Failover without ISP Redundancy

dphonovation — Mon, 09 Jan 2023 11:51:13 GMT

I'm 81.10 and Zones don't even show up in the "Filter" option when selecting a translated source.

I can use them in Original Source and Original Destination, but not translated columns.

Re: Automatic HIDE NAT for BGP Failover without ISP Redundancy

Chris_Atkinson — Mon, 09 Jan 2023 11:53:48 GMT

Gateway version?

To be honest (though I've not tested it) I was thinking they would be used in the destination context i.e. traffic towards zone A hide behind a certain address, traffic towards zone B hide behind a different address.

Re: Automatic HIDE NAT for BGP Failover without ISP Redundancy

dphonovation — Mon, 09 Jan 2023 11:53:02 GMT

Same, 81.10.

Re: Automatic HIDE NAT for BGP Failover without ISP Redundancy

Chris_Atkinson — Mon, 09 Jan 2023 12:03:12 GMT

Do you have existing Zone objects that you use elsewhere in your policy / assigned to interfaces or are there none defined yet?

I'll take a look in my lab later this evening...

Re: Automatic HIDE NAT for BGP Failover without ISP Redundancy

dphonovation — Mon, 09 Jan 2023 12:03:25 GMT

Indeed I do and would even prefer to keep using them.

Re: Automatic HIDE NAT for BGP Failover without ISP Redundancy

the_rock — Mon, 09 Jan 2023 12:19:02 GMT

@Chris_Atkinson is right, zones do work in R81 with nat tules. Does it now give you an option to add them? I just tested in my lab and its there for both src/dst.

Re: Automatic HIDE NAT for BGP Failover without ISP Redundancy

dphonovation — Mon, 09 Jan 2023 12:35:09 GMT

It is not. Only in Original Source and Original Destination. Not Translated columns:

I'm also still unable to recreate the "Automatic Hide NAT rules" manually (as we discussed above) without getting "Invalid Object Subnet A in Translated Source of Address Translation Rule. Valid objects are host, gateway, gateway cluster, router, dynamic object and address range with one object"

I'm defo 81.10, show version all:

Product version Check Point Gaia R81.10
OS build 335
OS kernel version 3.10.0-957.21.3cpx86_64
OS edition 64-bit

Re: Automatic HIDE NAT for BGP Failover without ISP Redundancy

the_rock — Mon, 09 Jan 2023 12:40:19 GMT

You cant add them in translated column, only original, so thats expected. As far as creating manual hide nat rules, I would need to see for myself.

Re: Automatic HIDE NAT for BGP Failover without ISP Redundancy

Chris_Atkinson — Mon, 09 Jan 2023 12:54:05 GMT

For reference this is the rule I just verified / installed in the lab (haven't done any testing beyond this point).

Both the Original Source & Original Destination reference zone objects that I located via text search.

Re: Automatic HIDE NAT for BGP Failover without ISP Redundancy

dphonovation — Mon, 09 Jan 2023 18:35:40 GMT

Yes, I can do that. But my objective here is outgoing NAT.

Interface A is ISP1

Interface B is ISP2

Both are advertising a default route to me, I'm preferring ISP1 - so by default I am NAT'ing behind the IP of interface A.

But if ISP1 goes down, ISP2's default routes take over.

I would need the NAT to change to Interface B.

With your screenshot, since it would always use the first NAT rule - it would attempt to NAT behind an ip of an interface that is down.